Jump to content
Welcome to our new Citrix community!

Enable HTTPS on Storefront 3.0 without Netscaler and without publishing VDA / Certificate and Redirect to a .local domain


Mohammad Ganji

Recommended Posts

Hi,

 

I don't have a Netscaler gateway and want to use direct access from Internet to storefront for users and have a bunch of questions:

 

1- I'd like to use HTTPS. Is Netscaler mandatory for me to publish storefront on Internet? If it is not, is it mandatory to publish my VDA servers on the Internet too? Better to say: is it possible to enable HTTPS on Storefront, publish it (without using a Netscaler appliance) and not publishing the VDA servers? (Configure Storefront to handle all the traffic from the clients to it and to it from VDA's through itself)

 

2- The internal domain is a .local one, say company.local; but the Internet domain, normally, is something different, let's say mycompany.com. How can I use a certificate named storefront.mycompany.com and let it go to the storefrontvhost.company.local without any issue or warnings? Should I do some changes on IIS or what?

 

Thanks in advance and regards,

Mohammad

Link to comment
Share on other sites

Hi Mohammad,

 

1. Yes you can enable HTTPS on storefront. You can have internet facing Storefront without Netscaler but not recommend. Storefront is an IIS server so on the firewall NAT to your storefront IP. I would say you must use the Netscaler. I am not getting what do you mean by saying "publish my VDA servers on the Internet too" in order to access from outside  world you need to published some resources like Apps or Desktops. I have doubt this will not work but you may try.

 

 

2. You can have any SSL certificate you want as long as you own the domain. Local domain name doesn't matter. You just install the certificate on the Storefront and bind within the IIS.

 

Thanks 

Manoj

 

Link to comment
Share on other sites

5 minutes ago, Manoj Rana said:

Hi Mohammad,

 

1. Yes you can enable HTTPS on storefront. You can have internet facing Storefront without Netscaler but not recommend. Storefront is an IIS server so on the firewall NAT to your storefront IP. I would say you must use the Netscaler. I am not getting what do you mean by saying "publish my VDA servers on the Internet too" in order to access from outside  world you need to published some resources like Apps or Desktops.

 

2. You can have any SSL certificate you want as long as you own the domain. Local domain name doesn't matter. You just install the certificate on the Storefront and bind within the IIS.

 

Thanks 

Manoj

 

 

Hi Manoj and thanks but:

 

1- If connection is changed to HTTPS and because I've got firewalls in the way between, I think I'd be safe to a great extent (Just like any Internet-facing published server)

And about the section you said didn't get what I mean :

 

Storefront is published with the name "storefront.mycompany.com" with Internet address 100.100.100.100 which is NAT'ed to internal storefront "storefrontvhost.company.local "

But VDA server, let's say VDASRV.company.local is not NAT'ed with a Public IP address and not reachable directly through Internet.

 

Does this scenario work? I mean does the whole traffic between remote clients and VDA server goes through the Storefront server? Or I need the Netscaler gateway to do this?

 

2- You mean I can use a certificate with the name "storefront.mycompany.com", install it on the storefront server which is named  storefrontvhost.company.local (in internal domain) and change the IIS to accept requests coming on "storefront.mycompany.com"? (Just create a binding with this name and assign the cert to it? No problem or no need to change any settings?)

 

Regards.

Mohammad

Link to comment
Share on other sites

Mohammad,

 

Check this post seems it is not possible. You can deploy Netscaler VPX Express which is free but limited to 5MBit bandwidth and users.

 

2. From external world it doesn't matter what is your internal domain name as you long your SSL cert match with DNS name it will work. I have deployed in so many environments where ssl cert doesn't match with internal domain. Don't need to chage anything special on IIS just bind to the web application. No additional setting require.

 

Thanks 

Manoj

 

 

  • Like 1
Link to comment
Share on other sites

32 minutes ago, Manoj Rana said:

Mohammad,

 

Check this post seems it is not possible. You can deploy Netscaler VPX Express which is free but limited to 5MBit bandwidth and users.

 

2. From external world it doesn't matter what is your internal domain name as you long your SSL cert match with DNS name it will work. I have deployed in so many environments where ssl cert doesn't match with internal domain. Don't need to chage anything special on IIS just bind to the web application. No additional setting require.

 

Thanks 

Manoj

 

 

 

Aha I see.

 

And Dear Manoj, As you have many implementation experiences, have you ever used any other reverse proxy, especially the open source and free ones or Microsoft TMG (Cause I have it on my network, or NSX or so) ?

 

Also about VPX, Would you please help me about the difference between Netscaler gateway and Citrix gateway and also ADC? It seems that the latter is the new replacement. Am I right?

 

Lastly, When I go to download VPX, after entering all contact info, it says:

 

Citrix Networking VPX Express free trial

This download is no longer available. If you are interested in experiencing the product

 

Is the free VPX (5 or 20 Mbps) still available to use free of charge?

 

 

 

 

 

 

Link to comment
Share on other sites

Hi Mohammad,

 

I am sorry I don't have any other implementation experience as you have mentioned above. If you try other then Netscaler gateway you may end up with lot of issues  such as firewall rules etc.

 

Netscaler gateway and Citrix gateway and also ADC are same in term of OS but there are multiple differences depending on the licenses used. Citrix NetScaler refers to their Application Delivery Controller, or ADC, line of products, while the NetScaler Gateway, formerly known as the Citrix Access Gateway, or CAG, is primarily used for secure remote access to XenDesktop/ XenApp environments.

 

It seems Citrix stop On-Premises FREEMIUM Edition I didn't know that until today. You can buy basic ADC VPX Standard Edition, 10 Mbps may cost less than $2.5k or just Gateway On-Premises Enterprise VPX License which is i think lot cheaper may be around $600.

 

Thanks

Manoj.

 

Link to comment
Share on other sites

8 hours ago, Manoj Rana said:

Hi Mohammad,

 

I am sorry I don't have any other implementation experience as you have mentioned above. If you try other then Netscaler gateway you may end up with lot of issues  such as firewall rules etc.

 

Netscaler gateway and Citrix gateway and also ADC are same in term of OS but there are multiple differences depending on the licenses used. Citrix NetScaler refers to their Application Delivery Controller, or ADC, line of products, while the NetScaler Gateway, formerly known as the Citrix Access Gateway, or CAG, is primarily used for secure remote access to XenDesktop/ XenApp environments.

 

It seems Citrix stop On-Premises FREEMIUM Edition I didn't know that until today. You can buy basic ADC VPX Standard Edition, 10 Mbps may cost less than $2.5k or just Gateway On-Premises Enterprise VPX License which is i think lot cheaper may be around $600.

 

Thanks

Manoj.

 

 

Oops .. So to conclude, without Netscaler gateway or ADC, whose free edition is not available anymore, the HTTPS publishing of Storefront is unavailable unless VDA servers are published and Internet facing too.

 

Thanks

Link to comment
Share on other sites

  • 2 years later...

Hello Mohammad

There is always the option to publish access to a Citrix environment without a security appliance like the NetScaler/Citrix ADC. You will need to open a big list of ports and it will make your internal network open to all who would want to break in. Citrix ADC is available as a free version for small deployments, so as suggested it would be a better option.

 

If you don’t want to do that (for whatever reason), there are a number of other ways to get access. VPN access would always be better than nothing. Citrix still have its ADC for use with its gateway, but now also have a Zero Trust secure access option called SPA which is inexpensive and pretty sophisticated. 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...